E-Business has transformed the landscape in which applications are used, from an environment of limited access to one providing wide open, "24x7" access. This has created new and more difficult security problems that many companies are only beginning to discover.

Today, Internet security is comprised of four elements: 1) antivirus protection at the desktop, 2) data encryption and authentication for transport, 3) network firewalls and advanced routers for network-layer security, and 4) manual patching for application-layer security. Encryption and virtual private networks, using protocols such as SSL, provide security for data traveling over the public Internet. Firewalls prevent unauthorized network-level access to the server systems on which e-Business applications reside. The reality is, neither network firewalls nor encryption schemes like SSL protect the web application itself. Web application security ensures that Web applications can only be used the way they were intended by the developer. Any attempt at manipulating them is directly blocked, preventing the unauthorized use of an e-Business' resources or customer information by hackers attempting to gain access to the online network directly through the application itself.

When the web was developed, the original concept of a web application did not exist. In fact, the web's original developers never thought of the web as more than an effective method to deliver static content that would be updated and published much like a book. Quickly, functionality was added to collect input from the user, but the concept of a web application would not fully develop until the web servers were connected to the databases themselves and web pages were no longer written by hand but generated and customized based on a user's request. Today, Web applications are comprised of Web servers, user interface code, front and back end applications, and databases. Thus Web applications today house the most valuable assets a company has, namely their digital assets and data.



Current approaches to web application security address security issues at the last and most expensive stage of the development cycle: deployment. This approach often includes a line-by-line code review for security holes, sometimes at a cost of up to 50 cents per line. In fact, most sites add so much new code every day that they could never hope to keep up by patching or fixing holes manually, making the majority of sites insecure. Because security is checked at this late stage, and a never-ending stream of security patches is released by 3rd-party vendors, the process becomes one of great expense, consuming time and resources through the required vigil the site owner must hold watching for potential security vulnerabilities. This rapid change of Web application development has made "24/7" uptime and site security impossible.




Figure 1: Anatomy of a Web application 
To address these issues, Sanctum has developed AppShield™ software, the industry's leading Web Application Firewall solution. Sanctum's AppShield software is a Web Application Firewall built on a security proxy architecture that enforces a positive security model blocking any type of application manipulation. It is an active system that monitors and responds to any unusual or unauthorized behavior anywhere within a site, blocking attacks before they can reach the site.

The web application security provided by AppShield ensures that Web applications (both the application and Web logic) can only be used the way they were intended by the developer. Any attempt at manipulating them is directly blocked, preventing the unauthorized use of an e-Business' resources or customer information. Even un-patched and insecure systems are made secure by AppShield, allowing site owners to perform security patching with regularly scheduled maintenance. Most importantly, AppShield does not require any patches or signature files to stay up to date, so the unpredictable and costly cycle of security vulnerabilities and patching is broken once and for all.

AppShield Provides Enterprise Strength Application Security

Prevents application level attacks such as:

1. Stealing company assets such as employee files

2. Falsifying buy/sell transactions on commerce sites

3. Hijacking confidential customer information, such as financial portfolios

4. Site defacement

• Protects company assets, reputation, and revenue streams
• Assures consumers that their privacy is protected

AppShield is automatic

• Automatically secures existing and future applications
• Automatically secures third-party and custom applications

AppShield is designed for e-Business

• Allows for rapid application development and deployment
• Enables greater focus on core competencies
• Is tuned for high performance, scalability, availability, and manageability

AppShield offloads the application security responsibilities from the development team by providing an 
automatic solution to a very complex and daunting problem. AppShield is the ideal solution for any 
organization, from the large multimillion pages-per-day operation, to the small single-server site. When 
you are Secured by Sanctum, you can be sure your valuable digital assets are secure. 
AppShield enforces a positive security model. AppShield is a proxy that sits between the client and the web server. AppShield employs Sanctum's unique, patented Dynamic Policy Recognition Engine (DPRE) technology to examine and enforce application security policy in real time. This type of positive policy requires no signatures or updates to stay up to date.

Built on a scalable proxy platform, AppShield can support sites receiving millions of hits per day.

2.1 The Positive Security Model 

A positive security model enforces intended behavior vs. watching for unintended behavior. In other words, positive security only permits good behavior vs. preventing bad behavior. Positive security assumes an administrator and/or developer can define the ways in which you want a user to interact with

The benefits of a positive security model are:

1. Positive policies require no patches, signatures, or continual updates, and they protect against unknown vulnerabilities.

2. A positive security model contains a complete set of valid requests. There are no unknowns. Thus, the number of false negatives and positives is significantly reduced.

3. Positive policies have a better ROI. They require little main memory and no disk space, making them very efficient at processing requests.

4. Positive policies significantly lower operating costs due to less administrative overhead, since no continual updating is required, and the elimination of unplanned maintenance downtime.

2.1.1 Security Model Comparison Table



Positive Security Model          Negative Security Model
Complete                         Incomplete
Accurate                         Uncertain
Efficient                        Wasteful
Non-signature based              Signature based
Low Admin                        Ongoing Admin
Small Footprint                  Large Footprint
Low Resource Usage               Heavy Resource Usage
Non-disruptive                   Disruptive
No unknown requests              Unknown requests (good & bad)
2.2 Protecting the Application as well as the Web Server

Your web application is unique. It is developed for the needs of your customers, partners or employees. Any vulnerability found in your application will not be widely known, cannot be patched by anyone but you, and will most likely go undetected until it's too late.

Protecting against application vulnerabilities is much more difficult and more important than protecting only the web server itself. AppShield elegantly solves this problem by using Sanctum's patented Dynamic Policy Recognition Engine (DPRE). The DPRE analyzes all data passed between the client and the server, closely watching all of the requests that are made by a user and making sure that the values in the URL, cookies, hidden fields or any other HTTP elements are not modified by the user. At any time during their interaction with the site, users can only make the choices they have been presented. This enforcement places a boundary around each user visiting your site, effectively walling them off from other users and forcing them to follow the intended browsing path your site was designed with.

In addition to protecting the application logic, AppShield's DPRE also protects the web server against all known and unknown attacks without signatures or updates. This includes known vulnerabilities, server-based worms, holes or mis-configurations in the web server itself, as well as new attacks. Because AppShield's DPRE can effectively identify the valid requests, unknown attacks are easily blocked.

AppShield's Dynamic Policy Recognition Engine automatically identifies the security policy of each HTML page by processing in real-time the page elements (Figure 2).

Figure 2 
In the case of a hacking attempt, the Dynamic Policy Recognition Engine will determine that an illegal request is being sent to the application. Instead of relaying the illegal request, AppShield logs and blocks the request and then invokes a Response Page (Figure 3) which dynamically generates a customized message that is sent to the user, informing them of their actions and explaining what they might have done wrong, without terminating the user session. If a user continues submitting illegal requests beyond the configured threshold settings, then AppShield will terminate the offending user session. AppShield also invokes a timeout page in case a request is sent after a user's session has timed out.

Figure 3 

2.3 The Client Side: Trusting the Un-trusted 

For a web application to keep track of its users, each user must "remind" the web application with every request who they are. Traditionally, this was done using cookies, which were designed for this task. The web application would set a unique value or session ID in a specific cookie and send that to the browser after the user had logged in. Automatically from that moment on, the web browser would send the cookie information with every request. Several other methods have been offered for users not wishing to use cookies; however, they all require that some form of session identifier be stored on the client and sent with every request.

The problem with these methods is that anything stored on the client can be modified by the client. For example, the following URL describes a site where the session ID is stored in the URL:

HTTP://www.xyz.com/index.html?sessionID=5

Using only a web browser, one can go from user to hacker in seconds by simply modifying the URL itself. Where I had a sessionID=5 in the valid request, I can easily change this to sessionID=7 and enter or access the information for another user, without any authentication.

To solve this problem, SSL ID matching, IP matching, and session ID encryption have been added to the mix, all significantly increasing the complexity of the web application. None of these solutions can guarantee or even notify a security administrator when a user is attempting to modify any value on the client side. In the end, the web application is forced to trust the client side that extends far from the trusted environment of the web server, passing through the Internet and onto the desktop of any person in the world with a web browser.
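An added example, not AppShield's code, of the sessionID=5 problem described above: the first lookup trusts whatever the client sends, while the second accepts only a session identifier carrying a keyed signature, the same idea as the signed session cookie described in section 3.1. The key, the URLs and the function names are assumptions made for the example.

```python
"""Tamper-evident session identifier. Added illustration, not AppShield's
own code: it contrasts the bare sessionID=5 of the text, which any client can
rewrite, with a keyed-signature token that lets the server detect the rewrite.
The key and the URLs are constructed for the example."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER_KEY = b"constructed-secret-known-only-to-the-server"


def issue_token(session_id, key=SERVER_KEY):
    """Return 'sessionID.signature'; the signature is an HMAC over the id."""
    sig = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (session_id, sig)


def verify_token(token, key=SERVER_KEY):
    """Return the session id if its signature checks out, otherwise None."""
    sid, sep, sig = token.rpartition(".")
    if not sep or not sid:
        return None                      # unsigned or malformed token
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(sig, expected) else None


def session_from_url_unsigned(url):
    """The situation the text describes: whatever the client sent is trusted."""
    return parse_qs(urlsplit(url).query).get("sessionID", [None])[0]


def session_from_url_signed(url, key=SERVER_KEY):
    """Same lookup, but only a token the server itself signed is accepted."""
    token = parse_qs(urlsplit(url).query).get("sessionID", [None])[0]
    return verify_token(token, key) if token else None


def rewrite_session_id(url, new_id):
    """The modification from the text (sessionID=5 -> sessionID=7) applied to
    a URL. Any signature already present is kept as is, since without the
    server key no matching signature for the new id can be produced."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    sid, sep, sig = query["sessionID"][0].rpartition(".")
    query["sessionID"] = ["%s.%s" % (new_id, sig) if sep else new_id]
    return parts._replace(query=urlencode(query, doseq=True)).geturl()


if __name__ == "__main__":
    plain = "http://www.xyz.com/index.html?sessionID=5"
    print(session_from_url_unsigned(rewrite_session_id(plain, "7")))   # 7: accepted
    signed = "http://www.xyz.com/index.html?sessionID=" + issue_token("5")
    print(session_from_url_signed(signed))                               # 5
    print(session_from_url_signed(rewrite_session_id(signed, "7")))     # None
```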

AppShield immediately detects and prevents application hacking attempts before they happen, including:

1. Hidden Manipulation - Modification of state information stored inside hidden fields

2. Buffer Overflow Attacks - Sending too much data in a request to the application, attacking either 3rd party or internally developed code

3. Parameter Tampering - Manipulation of the parameters being passed in the HTML (changing content of parameters, adding parameters, deleting parameters, etc.)

4. Known Vulnerability Protection - Problems in commercial products (web servers, application servers, etc.)

5. Cross Site Scripting - Inserting scripting languages into text fields to be displayed to other users

6. Forceful Browsing - Jumping directly to pages that can normally only be accessed through authentication mechanisms

7. Stealth Commanding - Planting Trojan horses in text fields that cause the web application to perform commands it is not intended to do

8. Backdoor and Debug Options - Exploiting vulnerabilities left open in internally developed code

9. 3rd Party Misconfiguration - Exploiting configuration errors in 3rd party components such as web and database servers

10. Cookie Poisoning - Changing a cookie's content



AppShield 4.0
©2003 Sanctum, Inc.
www.SanctumInc.com



3. Architecture and Technology

3.1 AppShieid Architecture 

AppShield uses a secure proxy to provide the platform for AppShield's Dynamic Policy Recognition Engine. The benefits of proxies are well known and provide a true barrier between the outside world and your web applications. AppShield's secure proxy evaluates every request for RFC compliance, buffer overflow attacks, and invalid HTTP headers, as well as translating all requests to a common format before passing them to the security engine. Because all requests must be understood and well formed during this process, all encoding type attacks will fail, as the true request will be revealed for what it really is.

When a user starts an application session by directing his browser to an e-Business site, AppShield first verifies that the page accessed is indeed a legal Start URL¹ for the site, a previously bookmarked page, or a signed link. For example, the site administrator may declare the home page to be a legal Start URL as well as any page under the "Products" section. After the initial check is done, AppShield creates an application session token² and stores it inside a cookie. This cookie is used in all future transactions to uniquely identify users. The AppShield cookie also has an added advantage in that it can be used to

Once the session is established, AppShield analyzes each HTML page that belongs to that session as it is being forwarded to the browser. The patented Policy Recognition Engine examines the page looking for information such as CGI parameters, hidden field values, drop-down menu values, and the maximum size of expected text fields. Based upon this run-time analysis, AppShield automatically determines the potential valid requests and builds a positive security policy for the application. As the web server generates more valid requests, it dynamically and automatically adjusts the security policy for the session.
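As an added illustration (not Sanctum's code) of the policy derivation described in section 2.2 and in the paragraph above, the following Python builds a positive policy from the elements of one served HTML page (links, hidden field values, drop-down options, text-field maxlength) and then classifies later requests against it, naming each violation in the attack vocabulary the text uses. The class and function names, the sample page and the request URLs are constructed for the example.

```python
"""Positive security policy derived from one served HTML page, then enforced
on the requests that follow. Added illustration, not Sanctum's code: class
and function names are assumed, and the page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class PagePolicyBuilder(HTMLParser):
    """Records what a page actually offers the user: the URLs it links to and,
    per form, each parameter with the rule it must obey (a hidden field is
    fixed, a select is limited to its options, a text field to its maxlength)."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.forms = {}      # action path -> {param name: (kind, spec)}
        self._form = None
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urlsplit(a["href"]).path)
        elif tag == "form":
            path = urlsplit(a.get("action", "")).path
            self._form = self.forms.setdefault(path, {})
        elif tag == "input" and self._form is not None and a.get("name"):
            if a.get("type", "text").lower() == "hidden":
                self._form[a["name"]] = ("fixed", a.get("value", ""))
            else:
                limit = int(a["maxlength"]) if a.get("maxlength") else None
                self._form[a["name"]] = ("text", limit)
        elif tag == "select" and self._form is not None and a.get("name"):
            self._select = self._form.setdefault(a["name"], ("enum", set()))
        elif tag == "option" and self._select is not None:
            if a.get("value") is not None:
                self._select[1].add(a["value"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "select":
            self._select = None


def build_policy(html):
    builder = PagePolicyBuilder()
    builder.feed(html)
    return builder


def check_request(policy, path, params):
    """Return None when the request is one the page allowed, otherwise a short
    reason in the page's own attack vocabulary (what a proxy would log)."""
    if path in policy.forms:
        rules = policy.forms[path]
    elif path in policy.links:
        rules = {}                       # a plain link carries no parameters
    else:
        return "forceful browsing: %s was never offered" % path
    for name, (kind, spec) in rules.items():
        if kind == "fixed" and name not in params:
            return "hidden manipulation: field %s removed" % name
    for name, values in params.items():
        if name not in rules:
            return "parameter tampering: unknown parameter %r" % name
        kind, spec = rules[name]
        for value in values:
            if kind == "fixed" and value != spec:
                return "hidden manipulation: %s=%r" % (name, value)
            if kind == "enum" and value not in spec:
                return "parameter tampering: %s=%r not an offered option" % (name, value)
            if kind == "text" and spec is not None and len(value) > spec:
                return "buffer overflow: %s longer than maxlength %d" % (name, spec)
    return None


def check_url(policy, url):
    """Convenience wrapper: validate a GET-style URL against the policy."""
    parts = urlsplit(url)
    return check_request(policy, parts.path, parse_qs(parts.query, keep_blank_values=True))


# Constructed sample page: one link and one order form.
SAMPLE_PAGE = """<html><body>
<a href="/products/list.html">Products</a>
<form action="/cgi-bin/order.cgi" method="post">
  <input type="hidden" name="price" value="19.99">
  <select name="qty"><option value="1">1</option><option value="2">2</option></select>
  <input type="text" name="note" maxlength="40">
  <input type="submit" value="Buy">
</form></body></html>"""

if __name__ == "__main__":
    policy = build_policy(SAMPLE_PAGE)
    for url in ("/products/list.html",
                "/cgi-bin/order.cgi?price=19.99&qty=2&note=gift",
                "/cgi-bin/order.cgi?price=0.01&qty=2",
                "/cgi-bin/order.cgi?price=19.99&qty=1&debug=1",
                "/admin/users.cgi"):
        print(url, "->", check_url(policy, url) or "allowed")
```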

AppShield can also protect the entire application, including application servers or legacy systems, as well as client code (client side logic or CSL) such as JavaScript, Java, and ActiveX. It is important to understand that when using CSL such as a Java component, this component is executing in an un-trusted environment and its behavior needs to be closely watched. Just as all user requests are validated against the AppShield dynamic policy, so are the requests generated by any client code.

Extending the security to client side logic is done using the Intelligent Policy Creation and Editing tools. These mechanisms assist the user by automating the definition of policy rules that tell AppShield how to handle requests that are generated or modified by a program such as JavaScript on the client. For example, if an application employs JavaScript code that pre-loads or animates GIFs taken from directory /images/, AppShield generates a rule to allow all of the requests of the form /images/<legal_filename>.GIF. Other rules can be used to inform AppShield about operations such as hidden fields or cookies that may be manipulated by a programming language on the client.



¹ Defining the Start URLs is one of the few configuration activities required when installing AppShield.
² Application session token: AppShield digitally signs the content of the original cookie and only then appends the

Installing and configuring AppShield is a simple and understandable process. It consists of two simple steps: installing the AppShield security engine on each AppShield machine (or web server) and then installing the management console to complete the configuration process. The basic configuration required is simply to specify the IP of the AppShield system and the IP of the web server to protect. AppShield can then begin to protect and process the traffic for your web site.

AppShield's network and system configuration tool, which is part of the management console, can be run remotely to configure all AppShield nodes simultaneously.



Figure 4: Configuration Tool



In most cases, very little security configuration is required since the Dynamic Policy Recognition Engine automatically enforces the most secure configuration for your site. If your site employs heavy use of client side code, AppShield has intelligent policy generation tools to facilitate rapid deployment while still achieving a high level of security. As previously discussed, client side code poses extenuating security challenges in securing web applications. AppShield has a very simple and elegant way of creating policy such that the site, including the client side code, is protected. Sites using client side code such as Java, ActiveX, JavaScript and others can be quickly configured to work with AppShield without manually writing rules. The policy generation process is critical in ensuring the safe execution of client side code. Without this mechanism, the security of the web site cannot be ensured.

4.1 Policy Management System

The AppShield Policy Management System provides a dashboard from which the policy can be created and managed. The AppShield Security Templates provide a 'quick start' for implementing site security policy, while the Automated Policy Generating tool facilitates the rapid learning of the site's behavior and automatically generates policy that can be used instantaneously.



4.1.1 Security Templates

Select the Security Template you want AppShield to start from on your site. You may choose between three predefined security levels or customize your own unique level.



Figure 5: Configuration Tool, security level settings



The predefined options are based on Sanctum's security recommendations to find the optimal balance between ease of configuration and the level of security desired. The custom security level option allows administrators to determine their own security settings based on their intimate knowledge of the site and application security principles. There are three predefined security levels.

Strict

Provides complete protection against: cross-site scripting, stealth commanding, buffer overflows, cookie poisoning, third party misconfiguration, known vulnerabilities, forceful browsing, hidden manipulation and parameter tampering. If the site contains a lot of CSL, AppShield will require the use of the Policy Creation and Editing tools to tailor the policy specifically to the site.

Intermediate

Provides complete protection against: cross-site scripting, stealth commanding, buffer overflows, cookie poisoning. Provides good protection against: third party misconfiguration, known vulnerabilities, forceful browsing, hidden manipulation and parameter tampering. If the site contains a lot of CSL, AppShield will require some use of the Policy Creation and Editing tools to tailor the policy specifically to the site.

Basic

Provides complete protection against: cross-site scripting, stealth commanding, buffer overflows, cookie poisoning. Provides good protection against: third party mis-configuration, known vulnerabilities, forceful browsing. Provides limited protection against: hidden manipulation and parameter tampering. If the site contains a lot of CSL, AppShield will likely go in as configured for the site, and the Policy Creation and Editing tools may be used to tailor the policy specifically to the site.

Custom Security Levels

With a custom security level, the administrator can tune and configure the security of their site to the exact level desired.



4.1.2 Automatic Policy Generator

With the Automatic Policy Generator it is not necessary for the administrator to understand how to write policy rules or to understand how the application is intended to function. All that is required is a workstation with a web browser to automatically create the security policies needed. In AppShield you simply specify the IP, and any rules required by AppShield are created automatically.

4.1.3 Policy Organizer

The Policy Organizer's rule manager allows you to have a simple view of all the individual policy rules configured. You can sort them by any property and also define the "application" associated with each rule, so you can manage each group of rules separately.
Figure 6



4.2 SSL Configuration

AppShield includes complete support for SSL enabled web sites and can be used as a central point for managing the SSL certificates for one or many web servers. The SSL certificates must be installed into AppShield.

Installing and configuring SSL in AppShield is as simple as taking your existing SSL certificates and importing them into AppShield. In addition to this, you can also obtain a new certificate from the certificate authority of your choice.

4.2.1 Client Side Certificates

AppShield 4.0 includes built in support for PKI enabled web applications that use SSL client certificates. Because AppShield is a proxy server, it breaks the connection, requiring that any SSL connection also be re-established. Client Side Certificates or CSCs present a unique problem for proxy servers, since the SSL connection that carries the certificate is terminated at the proxy. In order to support this method of authentication, AppShield receives the SSL certificate, opens and analyzes its contents, and if valid, passes the individual client certificate data elements to the web application via special HTTP headers. This allows the certificate data to pass to the back end web applications without being lost at the proxy.

For companies that are looking to add PKI support in the future, AppShield provides the necessary support even where the web applications are not yet PKI aware. With only a few changes, applications can take advantage of the additional security offered by SSL Client Certificates.
Figure 7: Configuration Tool, authentication enforcement for resources



The administrator can also configure the HTTP header values that AppShield will pass to the web server.

Figure 8: HTTP header settings for client certificate data (Send Valid From in header: VALIDFROM; Send Valid To in header: VALIDTO; Send Certificate in header: CERTIFICATE)
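An added example (not AppShield's code) of the header-based hand-off described in section 4.2.1: the proxy strips any certificate headers that arrived from the client before filling them from the certificate it validated, and the back end accepts those headers only from the proxy's address. The header names follow the labels in Figure 8; the proxy address and the certificate record are constructed for the example.

```python
"""Forwarding client-certificate data to a back-end application in HTTP
headers, as section 4.2.1 describes. Added illustration, not AppShield's code.
The header names VALIDFROM, VALIDTO and CERTIFICATE follow the labels shown in
Figure 8; the proxy address and the certificate record are constructed, the
latter standing in for what the proxy parsed from the real certificate."""
import base64
from datetime import datetime, timezone

CERT_HEADERS = ("VALIDFROM", "VALIDTO", "CERTIFICATE")
PROXY_ADDR = "10.0.0.5"            # assumed address of the AppShield node

# Constructed stand-in for a parsed client certificate.
SAMPLE_CERT = {
    "subject": "CN=alice",
    "not_before": datetime(2003, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2004, 1, 1, tzinfo=timezone.utc),
    "der": b"constructed DER bytes",
}
NOW = datetime(2003, 6, 1, tzinfo=timezone.utc)


def build_upstream_headers(client_headers, cert, now=NOW):
    """Headers the proxy sends to the web server for one request.

    Any copy of the certificate headers that arrived from the client is
    dropped first, so the application never sees a client-chosen value; they
    are then filled in only from a certificate the proxy itself validated."""
    upstream = {k: v for k, v in client_headers.items()
                if k.upper() not in CERT_HEADERS}
    if cert is None:
        return upstream                  # no client certificate: no claims
    if not cert["not_before"] <= now <= cert["not_after"]:
        raise ValueError("client certificate outside its validity period")
    upstream["VALIDFROM"] = cert["not_before"].isoformat()
    upstream["VALIDTO"] = cert["not_after"].isoformat()
    upstream["CERTIFICATE"] = base64.b64encode(cert["der"]).decode("ascii")
    return upstream


def application_identity(request_headers, peer_addr):
    """Back-end side: use the CERTIFICATE header only when the request really
    came from the proxy; from any other peer it could have been typed in."""
    if peer_addr != PROXY_ADDR:
        return None
    blob = request_headers.get("CERTIFICATE")
    return base64.b64decode(blob) if blob else None


def demo():
    """Run the cases a practitioner would check; returns them for tests."""
    spoofed = {"Host": "www.xyz.com", "Certificate": "client-supplied value"}
    with_cert = build_upstream_headers(spoofed, SAMPLE_CERT)
    no_cert = build_upstream_headers(spoofed, None)
    try:
        build_upstream_headers(spoofed, SAMPLE_CERT,
                               now=datetime(2005, 1, 1, tzinfo=timezone.utc))
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {
        "with_cert": with_cert,
        "no_cert": no_cert,
        "expired_rejected": expired_rejected,
        "from_proxy": application_identity(with_cert, PROXY_ADDR),
        "from_elsewhere": application_identity(with_cert, "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```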



5. Management

AppShield's approach provides a powerful management system that makes the product very easy to use. It includes a Java-based GUI, which centrally controls all the AppShield units deployed at the site.

5.1 Management Console

The AppShield Management Console shown here provides a continuous, real-time readout of all web site activity, including pages-per-second, hits-per-second, and the total number of users online. In complex installations with multiple server locations, the Webmaster can manage all of them from a single console. To access each location the Webmaster simply clicks the appropriate button at the bottom of the screen. In the example shown, AppShield is tracking 120 hits/sec (10 million hits per day), the concurrent users, and one AppShield node, as indicated by the buttons at the bottom of the screen.




Figure 9 



5.2 Attack Track™ - The AppShield logging system 

5.2.1 Privacy Compliance Controls

In addition to providing detailed information on the actions of your users, including valid and invalid requests, AppShield provides the administrator with the ability to hide sensitive fields from the logs. This makes sure that the confidential information of your customers, such as credit card numbers and passwords, is not recorded in the logs. To configure this option the administrator selects the "Hide Sensitive Data" option and configures the specific fields that should not be recorded in the logs. Instead, the contents of these fields are not stored anywhere within AppShield.
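An added example, not AppShield's code, of the "Hide Sensitive Data" behaviour described above: the configured fields are masked in both the query string and the form body before a line is written, so the values never reach the log while the record still shows which parameters were sent. The field names, the line format and the sample lines are constructed for the example.

```python
"""'Hide Sensitive Data' applied to request logs, as section 5.2.1 describes.
Added illustration, not AppShield's code: the configured field names, the log
line format and the lines themselves are constructed for the example."""
from urllib.parse import parse_qsl, urlencode, urlsplit

HIDDEN_FIELDS = {"password", "cardnumber", "cvv"}    # assumed admin selection
MASK = "HIDDEN"


def redact_query(query, hidden=HIDDEN_FIELDS):
    """Replace the value of every configured field; names and order are kept
    so the record still shows which parameters the request carried."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, MASK if k.lower() in hidden else v) for k, v in pairs])


def redact_log_line(line, hidden=HIDDEN_FIELDS):
    """Constructed line format: '<time> <client> <method> <url> [<body>]'.
    Both the URL query string and a form body are redacted before the line is
    written, so the sensitive value never reaches the log."""
    fields = line.rstrip("\n").split(" ", 4)
    ts, client, method, url = fields[:4]
    body = fields[4] if len(fields) > 4 else ""
    parts = urlsplit(url)
    url = parts._replace(query=redact_query(parts.query, hidden)).geturl()
    if body:
        body = redact_query(body, hidden)
    return " ".join(f for f in (ts, client, method, url, body) if f)


# Constructed sample of what the proxy saw (never written in this form).
SAMPLE_LINES = [
    "2003-05-01T10:00:00 203.0.113.9 POST /login.cgi user=bob&password=hunter2",
    "2003-05-01T10:00:01 203.0.113.9 GET /pay.cgi?CardNumber=4111111111111111&cvv=123&amount=5",
    "2003-05-01T10:00:02 203.0.113.9 GET /index.html",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact_log_line(line))
```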
5.2.2 Log Management

AppShield logging uses a SQL database for storing and accessing the logged information, which can easily be accessed by third party tools for log analysis. All events are time ordered, with the viewer supporting resizable and positional fields with double-click expandability through pop-up windows. All recorded events can be used as a powerful forensics tool since they provide the source and nature of each attack.




Figure 10 



The log viewer also provides a short cut to writing Policy Refinement rules. When right-clicking on a request that you want to allow, you can choose the "Allow this request" option, which will create a rule to allow this request from now on.

5.2.3 Log Configuration and Fine Tuning

AppShield provides the ability for the admin to specify resource utilization and the type of image files to record or exclude from the log file, allowing for easy to maintain and easy to read logs. AppShield also allows activity to be recorded for as long as you need.
5.3 Alerting Features

Whenever AppShield encounters a hacking attempt it can issue a special alert. Supported alert mechanisms are popup console, SNMP, email, and OPSEC ready devices. Alert threshold settings are configurable through the management console.

5.4 AppShield Watchdog Technology 
6.1 Host Based Deployment 

Host based deployment allows deployment of AppShield without adding complexity to the network. It is installed on the same computer as the web server.




Figure 11 
6.2 Gateway Deployment

Using AppShield as a gateway does not require any software installation on the web server system. In this configuration AppShield runs on a dedicated machine and connects to one or more web servers. The configuration below is fully compatible with existing load-balancer technology.




Figure 12 



AppShield can run on Solaris (2.6, 2.7, and 8) or Windows (NT and 2000).

The Minimum System Requirements for the AppShield machine are:

Windows Minimum Requirements

• Computer: Pentium III PC, 500 MHz (Pentium III 933 MHz recommended)
• Operating System: Windows NT Server 4.0 with SP3 or Windows 2000 SP2
• RAM: 512 Mbytes
• Network: 10/100 Mbps NIC (Dual 100 Mbps NICs are recommended)
• 16 bit color display (for management console)
• Disk: 500 MB free disk space

Solaris Minimum Requirements

• Computer: Sun Ultra II, 440 MHz
• Operating System: Solaris 2.6, 2.7 and Solaris 8 (Sparc only)
• In order to install AppShield, some patches available from Sun may be required. During installation, a list of missing patches will be generated. See "Appendix: Solaris Patches" in the manual for a list of all recommended patches and information on how to check your system for the required patches.
• RAM: 512 Mbytes
• Network: 10/100 Mbps NIC (Dual 100 Mbps NICs are recommended)
• 16 bit color display (for management console)
• Disk: 500 MB free disk space
7.1 AppShield Performance

AppShield is designed to meet the performance demands presented by growing e-Business sites. Its streamlined design combined with efficient SMP support enables AppShield to deliver high performance on a single CPU as well as scale to meet the needs of the largest sites using SMP machines. The average added latency of AppShield

The charts below show an analysis of transactions per second and throughput on a PIII 933 MHz.

Test System: PIII 933 MHz, 100 Mbps NIC

Figure 13: Transactions Per Second (HTTP)

Figure 14: Throughput (Mbps), HTTP
7.2 Scalability

AppShield is capable of supporting any number of concurrent users, limited only by the amount of memory used (the minimal recommended configuration allows for thousands of concurrent users). In addition, several AppShield nodes can be linked together, if needed, to protect a site or sites. In this configuration, a load balancer is used to distribute the load evenly across the AppShields. This can be the same load balancer that is also used by the web servers, so additional hardware is not required. This enables the site owner to expand their site and add capacity by simply adding additional AppShields.

AppShield is also tuned to take advantage of multiple CPU systems effectively and will take advantage of upgraded hardware without modification.

7.2.1 Failover

As part of the scalability mechanism where there are multiple systems, there is also a built in method to handle any failure of the AppShield system. Each AppShield node maintains a link to the other nodes and can detect a node failure and immediately be ready to take on the traffic originally destined for the failed node. When the failed system comes back on line, it is automatically re-inserted into the AppShield farm.

AppShield is designed to work in the complex e-Business environment. AppShield interoperates with the following products and standards:

• Any web server such as iPlanet, Microsoft's IIS, and Apache

• All major web browsers such as Microsoft Internet Explorer, Netscape Navigator, Opera and AOL Browser

• All major load balancers such as Cisco Systems Local Director, Radware's Web Server Director, F5's BIG/IP, and Resonate's Central Dispatch

• Any application server such as GemStone Systems, Secant Technologies, NetDynamics Application Server, Allaire ColdFusion, BroadVision and Oracle Application Server

• Any web statistics utility capable of extracting user information from cookies, such as WebTrends. Capable of creating HTTP logs in a centralized place to ease statistics analysis.

• Any firewall such as Checkpoint's Firewall-1 and Cisco Systems' PIX Firewall

• SSL Accelerators such as Rainbow and nCipher

• SSL Global ID support

• SSL Client side certificates

• SNMP support for alerting

• OPSEC ELA (Event Logging API) certified

• OPSEC SAM supported

• ODBC support for exporting log file information

• Internet Content support for Cascading Style Sheets (CSS)

• Support for multiple domain names

• Internationalized for double byte and most European languages
AppShield also works seamlessly with volatile source IP addresses (e.g., requests originated by AOL users).

AppShield provides a secure environment for applications through verification methods that assert that the application protocols are correct, so that the application is used the way it was designed. Applications protected with AppShield do not need to be modified to deal with application hacking. Legacy applications are automatically protected with AppShield and do not need to be retrofitted. Secured applications can safely assume that selections are always within a legal range (hyperlinks, form options, etc.); read-only client-side data remains un-modified (hidden fields, cookies, etc.); and free-format input is bound to be valid (text fields, password fields). By using AppShield, security is implemented without impeding your web application, safely allowing your customers to access your applications to their fullest extent without allowing anyone to step beyond their design scope, and thus keeping your site safe and secured.

The integrity of an e-Business web site is the enterprise equivalent of national security. It is no longer acceptable for application-level security glitches to be discovered and fixed manually; the cost is reputation and customer loyalty. Companies that address the application security problem with more appropriate solutions, such as Sanctum's AppShield, will find themselves at an advantage in the marketplace. As the only ICSA certified Application Firewall,